An example non-transitory computer-readable medium includes instructions that, when executed by a processor, cause the processor to receive a request for data. The instructions also cause the processor to determine a region containing the data based on the metadata. The instructions cause the processor to traverse a tree in the metadata to determine key generation information relating a decryption key for the region to a root key.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A method, comprising: determining a computing device comprising a memory on a system on a chip (SOC) and a computer-readable medium is being booted for a first time; generating a system key to encrypt a region of the computer-readable medium containing system data and a user key to encrypt a region of the computer-readable medium containing user data; and storing information for generating the system key in a first branch of a tree on the computer-readable medium and information for generating the user key in a second branch of the tree different from the first branch, wherein the computer-readable medium includes an unencrypted metadata region to store the tree and to indicate locations of a plurality of regions of the computer-readable medium, wherein the unencrypted metadata region is signed by a platform key, wherein the platform key is derivable from key generation information obtained from the tree and a root key stored in the memory on the SOC.
2. The method of claim 1, wherein generating the system key comprises generating a migratable key based on the root key, generating a master system key based on the migratable key, and generating the system key based on the master system key.
3. The method of claim 2, further comprising storing information for generating the migratable key from the root key in the tree as a child of a root node and information for generating the master system key from the migratable key as a grandchild of the root node beneath the child.
4. The method of claim 1, wherein generating the user key comprises generating the user key based on a user-configured passphrase.
5. The method of claim 1, further comprising: generating a volatile key to encrypt a region of the computer-readable medium containing transient data; determining the computing device is entering a sleep state; and storing information for generating the volatile key in a third branch of the tree.
6. The method of claim 1, further comprising: storing the root key.
7. The method of claim 6, further comprising: receiving a request for the system data; determining a first region of the plurality of regions of the computer-readable medium containing the system data based on the unencrypted metadata region; and traversing the tree in the unencrypted metadata region to determine key generation information relating a decryption key for the first region to the root key.
8. The method of claim 7, further comprising: retrieving the key generation information for the first of the plurality of regions of the computer-readable medium from the tree; generating the decryption key for the first region based on the root key and the key generation information; and decrypting the system data from the region using the decryption key.
9. The method of claim 7, wherein the key generation information includes an encrypted copy of the decryption key.
10. The method of claim 7, wherein the decryption key is stored in a volatile buffer.
11. The method of claim 6, wherein the key generation information includes a random number to compute the decryption key for the system data from the root key.
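The lookup described in claims 7, 8 and 11, with the platform-key check from claim 1, can be sketched as follows; this is an added example, not code from the patent. HMAC-SHA256 as the derivation step, an HMAC tag standing in for the platform-key signature, and all node and region names are assumptions.

```python
import hashlib, hmac, json, os

def derive(parent_key: bytes, nonce: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the derivation step, which the claims leave open.
    return hmac.new(parent_key, nonce, hashlib.sha256).digest()

def key_for(tree: dict, root_key: bytes, name: str) -> bytes:
    """Walk from `name` up to the root node, then derive downward from the root key."""
    path = []
    while name != "root":
        if name in path or name not in tree:  # cycle or dangling parent in a tampered tree
            raise ValueError("malformed key tree")
        path.append(name)
        name = tree[name]["parent"]
    key = root_key
    for node in reversed(path):
        key = derive(key, bytes.fromhex(tree[node]["nonce"]))
    return key

def metadata_tag(meta: dict, root_key: bytes) -> str:
    # Assumption: an HMAC tag under the platform key stands in for the metadata signature.
    body = json.dumps({"tree": meta["tree"], "regions": meta["regions"]}, sort_keys=True)
    platform_key = key_for(meta["tree"], root_key, "platform")
    return hmac.new(platform_key, body.encode(), hashlib.sha256).hexdigest()

def sign(meta: dict, root_key: bytes) -> None:
    meta["tag"] = metadata_tag(meta, root_key)

def region_key(meta: dict, root_key: bytes, region: str) -> bytes:
    """Check the unencrypted metadata first, then derive the key for the region's node."""
    if not hmac.compare_digest(metadata_tag(meta, root_key), meta.get("tag", "")):
        raise ValueError("metadata signature mismatch")
    return key_for(meta["tree"], root_key, meta["regions"][region])

def sample_metadata() -> dict:
    """Constructed sample; node names and layout are hypothetical."""
    def node(parent: str) -> dict:
        return {"parent": parent, "nonce": os.urandom(16).hex()}  # random number per claim 11
    tree = {
        "platform": node("root"),
        "migratable": node("root"),            # child of the root node (claim 3)
        "master_system": node("migratable"),   # grandchild of the root node
        "system": node("master_system"),       # first branch
        "user": node("root"),                  # second branch; passphrase input (claim 4) omitted
    }
    return {"tree": tree, "regions": {"system_data": "system", "user_data": "user"}}
```

Because the tree is stored unencrypted, the tag check is what keeps a modified nonce or re-parented node from silently yielding a different key; only the root key itself has to stay inside the SOC.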
March 21, 2016
November 24, 2020